ABSTRACT

As the amount of sensitive information stored in databases increases due to the
current trend to automate Command, Control and Communication (C3) systems, the
impact of unauthorized access could be very detrimental to our nation's security.
Access control hardware that uses retinal blood vessel pattern recognition may be the
solution to the problem. This thesis looks at one retinal pattern recognition device and
attempts to determine its reliability as a function of the database size stored in
memory and the number of enrollment scans averaged together to form the reference
template. The database sizes used consisted of 300, 600 or 1200 templates, and the
reference templates tested were comprised of 3, 5 or 7 enrollment scans. The
applicability of this technology for protecting C3 systems is discussed. This study
employed the Eye Dentify 7.5 system developed by Eye Dentify Inc. of Beaverton,
Oregon, which performed extremely well by producing a low TYPE I error rate and no
TYPE II errors in over 1000 trials. This technology has potential for the protection of
C3 systems.

I. INTRODUCTION

As our Command, Control and Communications (C3) systems increasingly rely
on computers, databases, and secure communications networks, there is a need for
accurate and reliable access control hardware. Positive identification of the users is
necessary to ensure that only authorized users gain access, and to ensure that an
accurate audit trail exists if a violation occurs. Most automated access control
mechanisms don't provide this level of security. Access control hardware that uses
retinal blood vessel pattern recognition may be the solution to this problem.

Access controls are designed to protect information in a computer system. There
are two major aspects to access control of computer resources (FIPS Pub 35.198307 

(1) Identification and authentication of authorized users

(2) Authorization for the use of designated resources in the intended manner.

Both of these are critical to maintaining the integrity of a C3 system. There must be
controls to ensure that information is protected from unauthorized access or
manipulation of sensitive information. Through positive identification of the users,
there is also the added deterrent from misuse of information when one knows that an
accurate audit trail exists linking them to that information.


Access controls are based on identifying an individual through (FIPS Pub 83,
1980):

(1) Something that they know (i.e., passwords)
(2) Something that they possess (i.e., tokens, keys, security cards)
(3) Something about the person (i.e., physical or dynamic characteristics).

There are advantages and disadvantages to each of the above methods with regards to
expense, administration, and amount of security provided.
1) SOMETHING A PERSON KNOWS 

Passwords are the most commonly used and least expensive means to control 
access to computer networks. The advantage of no extra hardware requirements 
decreases the start up costs when implementing the system. The amount of 
administrative work associated with the generation and selection of passwords is a 
function of the level of security one desires for the material being protected. The
disadvantage of passwords is the possibility that the password can be compromised,
either intentionally or unintentionally. A password can be used by an unauthorized
user to gain access and this violation may not be detected until after damage has been
incurred on the C3 system.

2) SOMETHING THAT A PERSON POSSESSES

Special tokens, keys, or security cards can be used to control access and identify
an individual. Since these items can easily fall into an unauthorized person's hands
through loss or theft, they are usually used in tandem with a password or a Personal
Identification Number (PIN). This method is more costly than the use of passwords
alone due to the additional hardware and administrative requirements. Even when
security cards are used with a PIN or password, the possibility still exists that the
system can be accessed by unauthorized users.

3) SOMETHING ABOUT THE PERSON 

Since there are inherent drawbacks associated with the other two methods of
identification, much emphasis has been placed on positive identification through
personal attributes or characteristics. Biometric recognition devices have been
developed which can identify a person by hand geometry, fingerprints, signatures,
speech and retinal blood vessel patterns. One of the major problems with biometric
recognition is the difficulty in performing precise and repeatable measurements on the
human body. An optimal recognition device can distinguish between the interpersonal
variation and minimize the effects of intrapersonal variation. Due to the curvilinear
nature of the human body and the lack of precise reference points to measure from, the
intrapersonal variation can become exceedingly large. Most biometric recognition
devices deal with this problem through the use of tolerance thresholds and allowing the
user several attempts to get within these limits. Biometric recognition devices can be
expensive, but are capable of the best security and the lowest administration costs since
password and security card maintenance are not required.

There are two types of errors that a biometric recognition device can make: 

(1) TYPE I ERROR - This is when an authorized user is falsely rejected, usually
due to intrapersonal variation that is too large and falls outside the tolerance
threshold limits.

(2) TYPE II ERROR - This occurs when an individual is falsely accepted and
allowed access, usually due to the tolerance threshold limits being too large,
coupled with an individual with a small interpersonal variation with an
authorized user. This situation can cause overlaps which can result in TYPE
II errors.

Obviously, one would want a system that minimizes errors, which can be costly.
TYPE I errors tend to hassle and demoralize authorized users by not allowing them
access to the system. There are additional costs associated with these errors through
work lost and the added requirement to have security guards nearby to allow these
authorized users access. In the C3 environment TYPE II errors are unacceptable due
to the potentially high security risks associated with sensitive information.

There is a tradeoff between TYPE I and TYPE II error rates. To reduce
TYPE I errors by increasing the tolerance thresholds, the TYPE II errors can
potentially increase. So, a marginal amount of TYPE I errors may be acceptable in
order to minimize the possibility of TYPE II errors.
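
The tradeoff above, together with the effect of allowing the user several attempts, as an added example that is not from the thesis. The correlation scores are constructed, a score at or above the threshold is assumed to be accepted (so "increasing the tolerance" in the text means lowering the threshold here), and attempts are assumed to be independent.

```python
# Added example: all scores are constructed, not measurements from the thesis.
# GENUINE  = an authorized user's scans scored against their own template.
# IMPOSTOR = other people's scans scored against that same template.
GENUINE = [0.95, 0.93, 0.91, 0.88, 0.86, 0.83, 0.80, 0.77, 0.74, 0.69]
IMPOSTOR = [0.10, 0.22, 0.31, 0.38, 0.45, 0.52, 0.58, 0.63, 0.66, 0.70]
CANDIDATES = [0.50, 0.60, 0.71, 0.80, 0.90]


def error_rates(genuine, impostor, threshold):
    """Single-attempt (TYPE I, TYPE II) rates; a score >= threshold is accepted."""
    type1 = sum(s < threshold for s in genuine) / len(genuine)
    type2 = sum(s >= threshold for s in impostor) / len(impostor)
    return type1, type2


def with_attempts(type1, type2, attempts):
    """Rates when up to `attempts` tries are allowed (tries assumed independent).

    An authorized user is rejected only if every try fails; an impostor is
    accepted if any try succeeds, so extra tries help TYPE I and hurt TYPE II.
    """
    return type1 ** attempts, 1 - (1 - type2) ** attempts


def most_tolerant_safe_threshold(genuine, impostor, candidates):
    """Lowest candidate threshold with no TYPE II errors on the sample, or None."""
    safe = [t for t in candidates if error_rates(genuine, impostor, t)[1] == 0]
    return min(safe) if safe else None


def sweep(genuine, impostor, candidates, attempts=3):
    """One row per threshold: (threshold, type1, type2, type1_k, type2_k)."""
    rows = []
    for t in candidates:
        t1, t2 = error_rates(genuine, impostor, t)
        rows.append((t, t1, t2) + with_attempts(t1, t2, attempts))
    return rows


if __name__ == "__main__":
    print("thresh  TYPE I  TYPE II  TYPE I (3 tries)  TYPE II (3 tries)")
    for t, t1, t2, t1k, t2k in sweep(GENUINE, IMPOSTOR, CANDIDATES):
        print(f"{t:6.2f}  {t1:6.2f}  {t2:7.2f}  {t1k:16.3f}  {t2k:17.3f}")
    print("most tolerant threshold with no TYPE II errors:",
          most_tolerant_safe_threshold(GENUINE, IMPOSTOR, CANDIDATES))
```
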

This study looks at a biometric recognition device that uses retinal blood vessel 
patterns to identify an individual. Retinal blood vessel patterns have been proven to 
be highly individualistic and stable (Simon and Goldstein, 1935). This device compares 
your digitized retinal pattern to one that has been stored in memory. If the difference 
between the scan of your eye and the one in memory is within the tolerance threshold 
limits, then you gain access. Otherwise, access is denied.

The reference template of one’s eye is formed through an enrollment process that
involves averaging several pictures of your blood vessel pattern. Averaging is used to 
build a more robust reference template to compare against when allowing one access. 
This allows for a degree of intrapersonal variation caused by differences in head and 
eye positioning. 

The Eye Dentify 7.5 system has two basic modes of operation, VERIFY and 
RECOGNIZE. In the VERIFY mode, the user inputs a four digit PIN by pushing 
those numbers on the keypad just before taking the eye scan. The 7.5 system 
compares the template associated with that PIN and the user's eye scan. In the
RECOGNIZE mode, no PIN is required. The 7.5 System searches through the entire 
memory for a match that is within the tolerance threshold limits. 

For the purposes of this study, the RECOGNIZE mode was used. The
experiment was designed to determine the effects on TYPE I and TYPE II error rates
when the database size and the number of enrollment scans used to form the reference
template are varied. Also considered is the applicability of this technology in C3
systems.

II. THE EXPERIMENT

A. EQUIPMENT USED

The Eye Dentify 7.5 system is a retinal blood vessel pattern recognition device.
Scientific studies dating back to 1935 support the premise that retinal blood vessel
patterns are unique to the individual and very stable. Dr. Carleton Simon and Dr.
Isodore Goldstein published a paper in 1935, which discussed the results of their study
on using retinal photographs as a means to uniquely identify an individual.


What is true of the fingerprint system is also true of this new system, in that no
two individuals have the same identification patterns. The many and great
variety of blood vessel configurations makes it a mathematical certainty that no
two retinal formations are identical. In thousands of photographs, none have
been found to be the same. Age or disease may change in tortuosity the lumen
of the blood vessels, but their position and their correlation remain unchanged
through life, and what is of greatest interest, they cannot be altered or effaced. . .
(Simon and Goldstein, 1935)

Dr. Paul Tower confirmed this previous study when he published a paper
which concluded that the greatest dissimilarity between Identical Twins was in their
retinal blood vessel patterns (Tower, 1955).

1. Hardware 

This system is composed of an eye camera (ICAM), monocular eyepiece, 8 
character LED display, 12 digit keypad (0-9, #, *), SCAN button, 68000 
microprocessor, and bubble memory all enclosed in a cast aluminum housing (See Fig.
2.1). There is an I/O interface for a terminal which enables control of the internal 
software functions and operations. An additional I/O auxiliary port is provided to 
allow computer and printer interface. A microcomputer was used in this experiment to 
up and down load the databases from a floppy disk. A printer with a serial to parallel 
converter was used for documentation of collected data. 

2. Eye Camera (ICAM) 

The ICAM scans a fovea-centered circle on the back wall of the eye, which
includes the retina and choroid (See Fig. 2.2). The light source is an infrared light
emitting diode, which has been proven safe for this level and duration of exposure to
the human eye (Eye Dentify Inc., 1984). The spectrum and power level used is similar
to that of a common television remote control device. When in operation, the ICAM
performs a 450 degree circular scan (1.25 revolutions of the scanner) which
digitalizes contrast-relative light and dark areas on the scanning circle.

Figure 2.1 The Eye Dentify 7.5
3. Recognition Mode 

When operating in the RECOGNITION mode, the 7.5 system uses a
proprietary algorithm that searches the entire database in bubble memory for the five
closest templates, then picks the best match. This “best match” must then be within
the tolerance threshold limits for one to gain access. This process was designed to
increase the SPEED OF RESPONSE. The SPEED OF RESPONSE is a function
of the database size stored in bubble memory. Up to 1200 eye templates can be stored
in bubble memory (Eye Dentify Inc., 1984).


B. OBJECTIVE OF THE EXPERIMENT

The objective of the experiment was to compute the TYPE II and TYPE I error
rates when subjects were tested in nine different situations, where database size and the
number of enrollment scans that formed their reference template were varied. A
secondary objective was to monitor the SPEED OF RESPONSE in each situation.
The database size in bubble memory was varied by using 300, 600 and 1200 eye
templates. Each subject was enrolled three different times. Each reference template
was formed in an averaging process that was composed of 3, 5 or 7 eye scans.

Figure 2.2 The Scanning Circle (label in figure: Scanned Area)

C. EXPERIMENTAL PROCEDURE 
1. Participants 
Twenty two subjects participated on a volunteer basis. There were no
incentives offered for good performance; just the subject's interest and competitiveness
were sufficient. All were military officers, between the ages of 25 and 35, who were
assigned to the Command, Control and Communications Curriculum at the Naval
Postgraduate School. There was a good cross-section of subjects with vision that
required corrective eyewear, either contact lenses or glasses. The high reflectivity of
eyeglasses inhibits the ability of the 7.5 system to scan the eye, so those subjects that
wore glasses were asked to remove them for the experiment. Contact lenses appeared
to have no effect on the person’s performance. Most subjects were familiar with the
7.5 system, but had not used it extensively.
2. Enrollment Process 
The first step in the experiment was the enrollment process. A system
compatible terminal was used to control the internal software functions, allowing one
to use the 7.5 system’s enrollment function. This is easily accomplished by entering
“E”, as indicated on the menu.

Figure 2.3 Eye Dentify 7.5 System Operation.

For the purposes of this experiment, three reference templates were formed for
each subject. The reference template is formed through an averaging process. The
number of eye scans averaged together when forming the reference template could have
a significant effect on TYPE I and TYPE II error rates. The three reference templates
were composed of 3, 5 or 7 scans. The templates were formed in a random order for
each subject and at least five minutes transpired between enrollments. Three floppy
disks were used to store and keep each individual's reference template separate, so each
floppy disk contained only the 22 subjects whose reference template was formed using
the same number of scans. A microcomputer was used to upload and download the
templates between the 7.5 system and the floppy disk. The 7.5 system’s bubble
memory was erased in between each evolution to keep the databases separate. A
description of this process can be found in Appendix A.

The USER manual recommends that each subject be enrolled with at least 5
scans and that the average correlation score for all 5 scans be above +0.90. The
correlation score is a mathematical representation computed by the 68000
microprocessor in the 7.5 system, which describes how similar the most recent scan is
to the template stored in memory. The correlation score could be any number between
+1.00 and -1.00. Although we strayed from this recommended procedure to test the
significance of the number of scans used to form the reference template, all but one of
the twenty two subjects easily averaged above the score of +0.90 during enrollment.
The subject that had the difficulty with this criterion wore corrective glasses for
astigmatism. This subject described difficulty in visually maintaining similar head and
eye positioning between scans. This consistency is necessary for high correlation
scores.

To bring consistency to one's approach when operating the 7.5 system, the 
following guidelines were given to each subject prior to each enrollment session and 
prior to each session of the experiment. 

(1) Square the head perpendicular to the machine, resting the forehead on the
headrest provided. Align the head so the right eye is adjacent to the recessed
eye port.

(2) By looking into the recessed eye port and moving the head slightly, dots of
light can be seen which form a three dimensional cone. Center the head so
that the cone appears as a circle. At this point, ensure the head is still
perpendicular to the machine. Focus on the center of the circle.

(3) Press the SCAN button gently.

After the SCAN button is pressed (at least two scans are required before a
correlation score can be computed during enrollment), the enroller is given the choice
of whether the latest scan is averaged into the reference template or discarded. The
criterion for accepting or rejecting the latest scan was whether the
correlation score was above +0.90 or below; only scans above +0.90 were accepted.

At this point the enroller is given four options:

(1) Continue the enrollment process so more scans can be averaged into the
reference template.

(2) Restart the process. By activating Restart, all but the latest scan is retained in
memory. All previous scans are discarded.

(3) Cancel the process. This terminates the enrollment process and discards all
scans acquired for that individual during that session. Any templates
previously stored in memory for that individual are not affected.

(4) Finish the enrollment process. This allows the enroller to input the
identifier and the threshold limits for the VERIFY and RECOGNITION
modes. The threshold limit for this experiment in the RECOGNITION mode
was set at 0.71 for each individual.

If a subject consistently scored low, then the restart function was activated.
This action usually resulted in higher correlation scores. If the first scan from an
individual was poor, this tended to pull the correlation score from all subsequent scans
down. By activating the restart function, this first poor scan would be discarded
allowing the consistency of the later scans to result in higher correlation scores.
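
The enrollment averaging, the Restart option and the VERIFY and RECOGNIZE modes described above, as an added example that is not Eye Dentify's algorithm (which is proprietary) and not code from the thesis. Scans are constructed sinusoids, the score is assumed to be a Pearson correlation, acceptance at or above the threshold is assumed, Restart is modelled as keeping only the latest scan, the VERIFY threshold is supplied by the caller because the text does not give one, and every function name is hypothetical.

```python
import heapq
import math

N = 128                      # samples around the scanning circle (constructed)
ENROLL_MIN_SCORE = 0.90      # enrollment acceptance criterion from the text
RECOGNIZE_THRESHOLD = 0.71   # RECOGNIZE threshold used in the experiment


def wave(freq, amp=1.0):
    """Constructed stand-in for digitized scan data: one sinusoid on the circle."""
    return [amp * math.sin(2 * math.pi * freq * i / N) for i in range(N)]


def scan(person, error_freq, error_amp):
    """A person's pattern plus a head/eye positioning error of the given size."""
    return [p + e for p, e in zip(wave(person), wave(error_freq, error_amp))]


def correlation(a, b):
    """Pearson correlation in [-1, +1]; assumed stand-in for the device's score."""
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)


class Enrollment:
    """Averages accepted scans into a reference template."""

    def __init__(self):
        self.scans = []

    def template(self):
        return [sum(column) / len(column) for column in zip(*self.scans)]

    def offer(self, new_scan):
        """Score a scan against the running template; keep it only above +0.90."""
        if not self.scans:                 # no score exists until a second scan
            self.scans.append(new_scan)
            return None
        score = correlation(new_scan, self.template())
        if score > ENROLL_MIN_SCORE:
            self.scans.append(new_scan)
        return score

    def restart(self, latest_scan):
        """Restart option: discard all previous scans and keep the latest one."""
        self.scans = [latest_scan]


def enroll_with_poor_first_scan():
    """Replays the case in the text: a poor first scan drags later scores down."""
    session = Enrollment()
    good = [scan(7, freq, 0.1) for freq in (41, 42, 43, 44)]
    scores = [session.offer(scan(7, 40, 1.0))]        # poor first scan, no score
    scores += [session.offer(s) for s in good[:2]]    # good scans, rejected
    session.restart(good[1])                          # drop the poor scan
    scores += [session.offer(s) for s in good[2:]]    # good scans, accepted
    return session, scores


def build_database(session):
    """Twenty constructed templates keyed by PIN; 0007 is the enrolled subject."""
    database = {f"{k:04d}": wave(k) for k in range(1, 21)}
    database["0007"] = session.template()
    return database


def verify(database, pin, live_scan, threshold):
    """VERIFY mode: compare only against the template filed under the PIN."""
    return correlation(live_scan, database[pin]) >= threshold


def recognize(database, live_scan, threshold=RECOGNIZE_THRESHOLD):
    """RECOGNIZE mode: shortlist the five closest templates, then test the best."""
    scored = ((correlation(live_scan, tpl), pin) for pin, tpl in database.items())
    shortlist = heapq.nlargest(5, scored)
    best_score, best_pin = shortlist[0]
    accepted = best_pin if best_score >= threshold else None
    return accepted, best_score, shortlist


if __name__ == "__main__":
    session, scores = enroll_with_poor_first_scan()
    print("enrollment scores:", [None if s is None else round(s, 3) for s in scores])
    database = build_database(session)
    for label, probe in [("careful scan", scan(7, 45, 0.3)),
                         ("careless scan", scan(7, 45, 1.2)),
                         ("not enrolled", scan(30, 45, 0.1))]:
        pin, score, _ = recognize(database, probe)
        print(f"{label:13s} -> {pin or 'NOT RECOGNIZED'} (best score {score:+.3f})")
```

The careless scan by the enrolled subject is a TYPE I error in this model: the best match is the right template, but its score falls below 0.71.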

3. IBANK Database 

To determine the effects of database size on TYPE I and TYPE II error rates, 
a large database of 1150 subjects was obtained from Eye Dentify Inc. This database
was used to obtain the 300, 600 and 1150 template databases used in the experiment. 
This process is described in Appendix B. These databases were stored separately on 
three floppy disks. 

4. Experiment Sessions 

All twenty two subjects were tested in each of the nine situations that can be
formed when combining the 3 database sizes with the 3 reference templates for each of
the 22 subjects. Each trial consisted of 5 samples per subject. For each session, a
randomly selected combination would be stored in the memory of the 7.5 system. The
subject would go through the scanning procedure five times, looking up between scans.
The response (accepted or rejected) and the time for the system to respond were
recorded after each scan. A stopwatch was used to determine the time between the
pushing of the SCAN button and when the response was displayed.

D. RESULTS

The three-way factorial experiment was designed to determine whether the
number of TYPE I and TYPE II errors were significantly affected when database size
and number of enrollment scans are varied. The level of significance was set at α = .05
during the design phase of the experiment. An analysis of variance was performed on
the data using the statistical package by SAS Institute Inc. The analysis of variance
test allows one to statistically determine if there is any significant effect on the
outcome caused by one or several factors.

During the course of this experiment, there were no TYPE II errors or false
recognitions observed. Not one subject was misrecognized in over 1000 trials conducted
in this experiment.


TABLE 1

THERE WERE NO TYPE II ERRORS


Data was collected to find the recognition rates and times to response in each
cell. The recognition rate is the number of recognitions for that cell divided by the
total number of trials for that cell. The recognition rate distribution was expected to
be binomial in nature, since one is either recognized or not recognized. The variances
for each cell were computed, and the F-max statistic was applied to determine if the
variances could be considered as coming from the same population. This is an
underlying assumption that must be fulfilled before the results of the analysis of
variance can be considered valid. The variances fell outside this criterion, so the
ARCSIN transformation (Y' = 2*ARCSIN(SQRT(Y))) was applied to stabilize the
variances (Winer, 1971).
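
Why the transformation was needed, as an added example that is not from the thesis: the variance of a raw recognition rate depends strongly on the rate itself, while the variance of 2*ARCSIN(SQRT(Y)) depends on it far less. The 0.78 and 0.943 rates appear in the text; the 0.98 rate and the cell size of 110 trials (22 subjects times 5 samples) are assumptions.

```python
import math

CELL_TRIALS = 110              # assumed: 22 subjects x 5 samples per cell
RATES = (0.78, 0.943, 0.98)    # 0.78 and 0.943 are from the text; 0.98 is constructed


def arcsine(y):
    """The transformation applied in the text: Y' = 2*ARCSIN(SQRT(Y))."""
    return 2 * math.asin(math.sqrt(y))


def identity(y):
    """No transformation: the raw recognition rate."""
    return y


def exact_variance(transform, n, p):
    """Variance of transform(k/n) for k ~ Binomial(n, p), by full enumeration."""
    probs = [math.comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(n + 1)]
    values = [transform(k / n) for k in range(n + 1)]
    mean = sum(w * v for w, v in zip(probs, values))
    return sum(w * (v - mean) ** 2 for w, v in zip(probs, values))


def variance_spread(transform, n=CELL_TRIALS, rates=RATES):
    """Largest cell variance divided by the smallest, across the true rates."""
    variances = [exact_variance(transform, n, p) for p in rates]
    return max(variances) / min(variances)


if __name__ == "__main__":
    for name, fn in (("raw rate Y", identity), ("2*ARCSIN(SQRT(Y))", arcsine)):
        cells = ", ".join(f"{exact_variance(fn, CELL_TRIALS, p):.5f}" for p in RATES)
        print(f"{name:18s} variances: {cells}  spread: {variance_spread(fn):.2f}")
```

The stabilization is not perfect for rates this close to 1 with cells this small, but the spread between cells shrinks from almost ninefold to well under twofold.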
The recognition rate for each cell consisted of 5 samples for each subject. By
using recognition rate, there was only one data point per cell which made the
calculation for the 3-way interaction impossible. By pooling the 3-way interaction with
the error term the F-statistics were calculated.

To determine if the calculated F-statistic is significant, one needs to see if it is
greater than the F-statistic found in a book of statistical tables. As can be seen from
Table 2, the only significant F-statistic was that which related to person. Database
size and number of enrollment scans were not statistically significant when α = .05.
Figures 2.4 and 2.5 show the recognition rate means and 95% Confidence Intervals for
scan number and database size. There appeared to be an interaction between DB
SIZE and SCAN that proved statistically insignificant, but was interesting. This
interaction is highlighted by Figure 2.6, as one can see the line depicting 5 scans with a
9899 recognition rate at the 300 template database drop down to 95°%% at the 600
database, when the 3 and 7 scan lines are increasing. This can be attributed to random
deviations that can occur and are statistically insignificant.
Figure 2.4 Effect of Number of Scans on Average Recognition.

The average times to response can be seen in Figure 2.7. Time of response was
affected by the size of the database and whether the individual was recognized or not.
The distributions appeared to be linear-log in nature, as the time rate of change
remained constant at 3 seconds as the database size doubled. The time of response for
NOT RECOGNIZED was consistently about 4 seconds longer than a RECOGNIZED
response.
III. DISCUSSION

A. MEASURES OF EFFECTIVENESS
To evaluate the effectiveness of a system one must consider how that system is to
be used, then judge the system in that context. This system was evaluated from the
perspective of how it would perform in a C3 environment. The performance of an
access control system is most critical when considered in this arena.
1. TYPE I Error Rate
The recognition rate and resultant TYPE I error rate were based on only one
attempt per trial. If several attempts were allowed for one to be recognized per trial,
the TYPE I error rate would be significantly lower. For this system's use in an
operational mode, it would be advantageous to allow 5 attempts in order to minimize
the rejection of authorized users. The overall recognition rate for this experiment in all
conditions was 94.3%, when the recognition threshold was set at .71. The TYPE I
error rate is calculated by subtracting the recognition rate from one, which in this case
is 5.7%.
The TYPE I error rate should be low so as to allow access to authorized
personnel with a minimum of inconvenience. In this experiment less than one percent
were denied access after 3 attempts. When time is critical as in the C3 environment,
this system could give some of the personnel problems, since the strongest predictor of
TYPE I errors in this experiment was the individual. The subject with the worst
recognition rate was recognized 78% of the time. This may be improved through
reenrollment since that process is so critical for high recognition rates to be achieved.
2. TYPE II Error Rate 
There were no TYPE II errors observed during the course of this experiment
in which over 1000 trials were performed. Other studies have reported similar results
(Helle, 1985; Masiero, 1986; Maxwell, undated). This is a very critical performance
parameter in the C3 environment. A C3 system requires protection from unauthorized
access, more so than most systems. Eye Dentify Inc. advertises that there is a one in a
million chance of a false recognition when one eye is used and significantly better when
two eyes are required to gain access. Sandia Laboratories performed operational tests
on several biometric devices and reported that the eye recognition device had a
significantly lower TYPE II error rate than all the other devices tested (Maxwell,
undated).
3. Time of Response 
Time of response is more important when considering physical access control
than computer access control. In physical access control bottlenecks can occur during
high volume time periods, which can disrupt operations. For computer access control
one is less likely to experience bottlenecks, but a fast time to response enhances user
acceptance of the system. From the C3 perspective, time of response is very important
when time is limited. The greatest time of response experienced during this study was
14 seconds for a not recognized response with 1200 personnel in the database. The
time for a NOT RECOGNIZED was about 5 to 4 seconds longer than for a recognized
response, and the time of response was longer as the database size was larger. It is not
known what the effects would be on time of response if the database is maintained in a
mainframe computer versus in the 7.5 system's bubble memory as was tested in this
case. In any event, there is a definite linear relationship between database size and
search time as shown in Figure 2.7.
4. Administration
The administration of a high level security system can be enormous. Most of
the administrative time is spent maintaining the integrity of passwords and security
cards. There are many precautions for secure systems when passwords are utilized
under the guidelines set by the National Computer Security Center (DoDCSC, 1985).
A majority of this burden could be reduced or alleviated through use of a biometric
recognition device, where passwords and security cards would not be necessary. With
a biometric device like the 7.5 system, the administration time would primarily
encompass the time spent on enrollment. The enrollment time for this experiment
averaged about 3 minutes per subject for all enrollments.
5. User Acceptance 
This system is very easy to use. To emphasize the point, the Dade County
Jail of Miami, Florida has been using this system on its inmates (Eye Dentify Inc.,
1956). The inmates are enrolled upon entry to the facility and verified when leaving to
ensure the correct individual is released. Some degree of cooperation is required of the
subject, but as this demonstrates, one's technical background is unimportant.
The subjects in this experiment were very curious about the system, and
specifically how the system works. The questions most frequently asked concerned the
safety of the scanning process and how the ICAM collected the information from the
eye. The user acceptance of this device by the subjects of this experiment was
high, once a technical explanation of the system was provided.

It was observed that some subjects had more difficulty being recognized than
others. Some of this difficulty can be attributed to the enrollment. There appears to
be a slight learning curve associated with the use of this equipment that affects some
people more than others. By reenrolling these individuals and taking advantage of this
learning curve, the individual should achieve higher correlation scores through more
consistent head and eye positioning. This was not done in this experiment as each
subject retained their original reference template through the entire experiment.

Another cause for lower recognition rates would be from the subject's
carelessness when positioning the head and eye for the scan. There were no incentives
or rewards given to the subjects for high recognition rates, but generally the subjects
had an interest in the technology and therefore tried to do well. The subject might be
somewhat careless until they get a NOT RECOGNIZED, then would try harder to be
accepted by the system.

6. Cost 

The Eye Dentify 7.5 system used in this experiment costs about $9,000 and
is fairly expensive. The system is a stand alone physical access control device, which
would maintain physical access control of an entrance to an area. This system was
designed to work using its own bubble memory, but some companies have adapted the
system so it can use a centralized databank.

When evaluating the cost effectiveness of a security system, one must consider
the environment in which it is to perform and the amount of security necessary to
enable acceptable risk levels. In the C3 environment, the risks are very high and the
highest performance is required. The 7.5 system has performed much better than
others analyzed in previous studies (Jones, 1956; Maxwell, undated).

As can be expected from new technology, the costs are generally higher than
in older technology. Once the Research and Development costs are recovered as
production increases and competitors get into the market, the costs should come down
significantly. This trend is expected to occur with the Eye Dentify system.
B. C3 APPLICATIONS
Command and control is made up of many subsystems as is portrayed in the
Joint Chiefs of Staff (JCS) definition of a command and control system.

A command and control system consists of facilities, equipment,
communications, procedures, and personnel essential to a commander for
planning, directing, and controlling operations of assigned forces pursuant to the
missions assigned. (DoDJCS, 1979)

Computer systems are becoming increasingly important for the military
commander to fulfill his mission. This reliance on computer systems coupled with the
high risks involved if the information is compromised, makes access control to
computer systems very important to command and control.

Command and control centers employ many personnel all of which have varying
degrees of security level clearances. A person must have the clearance to access
classified information and additionally they require a “need to know” that information.
Through automation positive identification is possible through retinal blood vessel
pattern recognition. This requirement of positive identification, as was pointed out
earlier, is not possible with passwords alone. Positive identification enables the
computer system to check an individual's clearance and “need to know” before access is
given.

Physical access control is equally important for the maintenance of a C3 system.
Currently, mechanisms like cipher locks, keys, security guards or security cards are
used for access to C3 areas. Many command and control centers are compartmented
within the physical structure along the lines of security level and “need to know”.
Positive identification is necessary to ensure these requirements are met. Retinal
recognition could be used to control access to a facility and within the facility to take
advantage of the added security and avoid the drawbacks associated with the currently
used methods.

1. Current Applications

The acceptance of this technology is already widespread as many corporations
and military installations have employed retinal pattern recognition devices. The most
common application is for physical access security, replacing the need for security
guards, keys, or security cards to gain access. Campbell Engineering designed a
security access control booth that is used in conjunction with this system (Smart and
Labarile, 1986). The booth allows only one to enter at a time and has an added
feature that weighs the individual. This ensures that there is only one person, and that
person is within the weight limits previously determined, thus adding an additional
criterion for one to enter an area.

2. Computer System Access Control 

Due to the increasing need for better security of computer systems and 
databases within C3 systems, this technology can be easily adapted for use as a 
computer system access control device. Most of the 7.5 system functions can be 
carried out from the host computer. The scanning of the user's eye can be performed 
by a small hand held ICAM. Once the scan has been performed, this data can be 
inserted into the host computer through a jack on the terminal. The host computer 
would contain the database with the individual's reference template and the algorithm 
to perform the comparison. This eye scan would be the substitute for the password 
during the LOGON procedure. 

Currently, there is a prototype of a small hand held ICAM under development 
by EyeDentify Inc. By aggregating most of the software functions of the 7.5 system 
on a host computer and having the hand held ICAM accessible to several terminals at 
a time, the cost of the system could be very reasonable. When one considers the added 
security of such a system and the risks involved with passwords, this may be the way to 
increase C3 system security. 

3. Possible C3 Applications 

This technology is basically a very secure way to replace the existing means to 
gain access, either into a physical area or into a computer system. If the risk of 
unauthorized access is high, as in C3, then one might want to think about installing a 
system such as this to replace keys, security cards and passwords. The need for 
security guards could also be reduced by a secure automated access control system. 

Database security is one area that could be greatly improved by a retinal 
recognition system. As C3 systems become increasingly automated with new sensors 
that collect large amounts of data, processors and decision aids draw from that data to 
help the battlefield commander make informed decisions. The integrity of the database 
must be protected not only from unauthorized reading of sensitive data, but also from 
unauthorized manipulation of data. 

To economize on space and increase convenience, one database might store 
several classification levels; this is called a multilevel security database. When a 
workspace is occupied by personnel of different classification levels, there is an 
increased need to ensure that the person entering a password is indeed the person 
authorized to use that password. In a large system, the need for positive identification 
of users multiplies and risk increases. Audit trails tracing back to personnel who 
accessed certain information may be the only way to find the source of a violation. 
With passwords as the only means to identify the individual, the audit trail may not be 
correct. 

The function of identifying and verifying an individual could be performed 
within the computer system automatically through use of a retinal recognition device. 
When positive identification can be achieved, there are no compromised passwords to 
worry about, and an accurate audit trail is possible. Passwords can be compromised 
too easily for their use to continue in these high risk environments. 

Weapon security could also benefit from this technology. Retinal recognition 
could be used to activate large and very lethal weapon systems. For nuclear weapons, 
two different individuals' eyes would be required before the system could be activated, 
to conform with the two man rule. Such a system could minimize the risks associated 
with a weapon that falls into the wrong hands. 

For a command and control computer system to be beneficial to a battlefield 
commander, it needs to be accessible near the front lines and have mobility. In a 
multiservice or joint command there is a constant change of personnel with many 
unfamiliar faces, more so than within one service. This presents a particularly difficult 
security problem. Mobility is degraded by security considerations and constraints, as 
it requires a large administrative effort to maintain high standards of security in this C3 
environment. Retinal recognition could be used for physical access controls and 
computer access controls, which could provide improved security over the existing 
methods with significantly less administrative effort. Mobility and security are two 
criteria for a mobile command post that could be improved through use of retinal 
blood vessel pattern recognition. 

The use of retinal blood vessel pattern recognition to protect C3 systems from 
unauthorized access is important for three reasons. First, positive identification can be 
ensured with a high level of confidence, more so than with passwords only. Second, 
accurate audit trails can exist, which act as a deterrent and generate a possible suspect 
list if a violation occurs. And third, there would be a significant reduction in the 
administration of the security aspects of a C3 computer system, as the stringent 
guidelines concerning passwords would not be required. 
IV. CONCLUSIONS 


The EyeDentify 7.5 system proved to be a very reliable, user friendly and timely 
access control device with many C3 applications. The results of the experiment 
demonstrated that most people will be positively identified at least 94.3% of the time 
on one attempt and 99% on three attempts, regardless of database size and with at least 3 
enrollment scans. It was found that the difference in recognition rate was not 
statistically significant for 3, 5 or 7 enrollment scans or for the database size used. This 
points to a significant time savings when enrolling new personnel. This study shows 
that only 3 enrollment scans are sufficient for most people. There were no false 
recognitions in over 1000 trials. 

Through the necessity to automate many aspects of C3, there is also the necessity 
to upgrade the protective mechanisms for these systems. The inherent drawbacks 
associated with passwords and other devices carried by an individual (i.e., security card) 
make their use as the sole access control mechanism very risky. Retinal recognition 
devices, like the one used in this experiment, offer greater security and lower administrative 
costs, and enable accurate audit trails to exist. 

Areas requiring further study: 


1) To determine the TYPE I recognition rates when subjects require access while 
under stress 


2) To determine the magnitude of a learning curve associated with retinal 
recognition devices, and how best to employ this information 


3) To test TYPE I and TYPE II error rates when the hand held ICAM is 


4) To operationally test a retinal recognition computer access control system. 


APPENDIX A 
COMBINING DATABASES 


It is possible to upload two separate databases into the 7.5 system's bubble 
memory to form a database that is a combination of the two. For this experiment, this 
process saved time and increased flexibility, as the three database sizes and the 
three files of enrollment scans were mixed in the various combinations. The software 
package that comes with the 7.5 system indirectly allows one database to be inserted 
into bubble memory where another database is already stored. 

The 7.5 system has a very simple database management system that uses a 
Personal Identification Number (PIN) as the primary key that is stored with the 
individual's reference template data. The PINs are stored in sequential order. The 
user is given the option of assigning the PIN, or the system will assign them 
automatically by filling up the lower PINs first. The PIN cannot be changed once it 
has been assigned to the reference template data. This allows two or more databases 
to be combined without destroying data, if there are no two identical PINs occupied 
with data between the databases. If there are identical PINs occupied, then the most 
recently added reference template will replace the previous template. All other data 
will remain unchanged. 

The key to combining databases is to assign PINs during enrollment which are 
not already assigned in the other database. Unless one intends to combine 
databases, it is recommended to erase the bubble memory first. This will help to 
ensure that memory only contains the templates that were last inserted. 

For this experiment, a total of 6 floppy disks were used. There were 3 which 
stored the 300, 600, and 1200 template databases, and 3 to store the 3, 5, and 7 
enrollment reference templates for the subjects. The bubble memory was empty for 
each of the enrollment sessions, so the subjects filled the first 22 PIN locations 
automatically. The 300, 600, or 1200 template database would be uploaded to memory 
first, in the manner described in the USER MANUAL. The 22 templates for the 
subjects would be uploaded second, and would overwrite these first 22 PIN locations 
in memory and would not affect the rest of the database. 
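The merge rules of this appendix can be modeled in a few lines. The following Python sketch is an added illustration, not the 7.5 system's software: the function names are hypothetical, PINs are assumed to be integers starting at 1, and strings stand in for template data. It reproduces the upload order used in the experiment and shows a collision check to run before combining databases.

```python
# Added illustration of Appendix A's merge rules; not the 7.5 system's software.
# Assumption: PINs are positive integers starting at 1.

def lowest_free_pin(occupied):
    """Automatic assignment: fill the lowest unoccupied PIN first."""
    pin = 1
    while pin in occupied:
        pin += 1
    return pin

def enroll(db, template, reserved=frozenset()):
    """Enroll under the lowest PIN free in db and not reserved for another database."""
    pin = lowest_free_pin(db.keys() | set(reserved))
    db[pin] = template
    return pin

def colliding_pins(memory, incoming):
    """PINs occupied in both; uploading `incoming` replaces these templates."""
    return sorted(memory.keys() & incoming.keys())

def upload(memory, incoming):
    """Upload into memory: on an identical PIN the most recently added template wins."""
    replaced = colliding_pins(memory, incoming)
    memory.update(incoming)
    return replaced

def build(n, label, reserved=frozenset()):
    """Constructed sample database of n templates (strings stand in for template data)."""
    db = {}
    for i in range(n):
        enroll(db, f"{label}-{i}", reserved)
    return db

def run_experiment(db_size, n_subjects=22):
    """Appendix A's sequence: filler database first, subject templates second."""
    memory = {}
    upload(memory, build(db_size, "filler"))
    replaced = upload(memory, build(n_subjects, "subject"))
    return memory, replaced

if __name__ == "__main__":
    memory, replaced = run_experiment(300)
    print(len(memory), "templates in memory;", len(replaced), "PINs overwritten")
    subjects = build(22, "subject")
    extra = build(5, "extra", reserved=subjects.keys())  # avoids the subjects' PINs
    print("collisions when combining:", colliding_pins(subjects, extra))
```

Running `colliding_pins` before an upload lists exactly the reference templates that would be replaced, which is the check to make when the overwrite is not intended.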
APPENDIX B 
TRIMMING DOWN A DATABASE 


These procedures describe how to trim down a larger database to a smaller size, 
as was required for this experiment. The software will only allow one template to be 
deleted at a time, or the entire memory; there is no in between where numerous 
templates might be deleted. To delete one template only takes a few seconds. To 
delete 600 takes considerable time. This set of procedures will only trim the latter part 
of the database, which means one can delete all templates past a certain point. This is 
due to the way the software sequentially fills the bubble memory, starting with the 
lowest PIN and proceeding to the highest PIN with a template. By monitoring the system's progress, 
then halting execution when the desired number of templates has been transferred to 
memory, any size database can be formed from a larger one without a great loss of 
time. 

Once the upload process has been initiated as per the USER's MANUAL, note 
the time that the upload started. It takes a little over 2 seconds to transfer one 
template from a disk to memory, so if 300 templates are to be transferred, plan on 
about 10 minutes before the next step needs to be performed (2 seconds x 300 
templates / 60 seconds = 10 minutes). One can monitor the progress of the transfer 
by using the list function, which displays the PINs and identifiers 
currently in memory. If a range of PINs is entered, the list function will display 5 at 
a time until the end of the range is reached or until there are no more occupied PINs to 
display. One can enter a range of PINs many times to monitor the progress. When 
the desired number of templates has been transferred, execution can be halted by 
pushing Control "C" or Control Scroll Lock on the microcomputer's keyboard. This 
will get one close to the desired number. The exact number can be achieved through 
deletion of one template at a time. 